[00:08.800 --> 00:15.000]  Hello everybody! Man, this stage is not doing anything for this whole, like, Hackers Are
[00:15.000 --> 00:22.400]  Not Rockstars thing. Yeah, Hackers Are Not Rockstars. Who are rockstars? Rockstars, man.
[00:22.400 --> 00:30.500]  I made a few. We got nothing on them. Alright, so, before I say anything, I want to thank, you know,
[00:30.500 --> 00:36.400]  thank you Baidu. Only DEF CON could go to China, and I think only you could make that happen. So, thanks
[00:36.400 --> 00:42.760]  guys, and thanks to all the other sponsors who've brought me. This is my first time in China, first
[00:42.760 --> 00:51.060]  time in Beijing. I've been to Asia before, but never out here. It's really exciting. So, what are we
[00:51.060 --> 00:58.460]  here to do today? Well, this is a keynote talk, so I'm supposed to inspire you all to build crazy,
[00:58.460 --> 01:04.180]  interesting things. This is a technical talk because, you know, they say you stop writing code
[01:04.180 --> 01:09.920]  in your thirties. That is a dirty lie. I've written more code in the last few years than ever in my
[01:09.920 --> 01:20.780]  life. The goal of this talk is to connect a series of concepts you may never have thought were linked.
[01:20.780 --> 01:28.180]  The quote-unquote hacker mindset really is just saying, you know, those things might be connected.
[01:28.180 --> 01:34.260]  Hamburgers and cheese, that's great. Hamburgers and clouds, sure. Anything can be linked, and I kind
[01:34.260 --> 01:41.600]  of want to, like, expand your horizons there. So, let's consider this sort of a skydive. We're going
[01:41.600 --> 01:47.880]  to start with a bird's-eye view, and then we're going to dive straight into the weeds and get
[01:47.880 --> 01:56.740]  ourselves, if you'll excuse the pun, a bug's-eye view. So, I wanted to start this discussion, you know,
[01:56.740 --> 02:01.840]  there's a problem where we talk about hacking in terms of only software. So, like, if you already
[02:01.840 --> 02:07.920]  understand software, maybe you'll understand what I'm talking about. But what does hacking look like
[02:07.920 --> 02:16.160]  when it has nothing to do with software? And I figured, you know, most of us can see. I do have a
[02:16.160 --> 02:24.360]  hobby on human perception. Ask me about colorblindness sometime. There is a myth in human vision that
[02:24.360 --> 02:29.920]  we see at 60 frames per second. And I say it's a myth because you can run pretty much any experiment you
[02:29.920 --> 02:37.960]  want, and it's like, uh, no. We don't see at 60 frames per second because we don't see at frames per second.
[02:37.960 --> 02:42.540]  Your eye just kind of, like, wanders around and collects a bunch of gunk, and your brain's like,
[02:42.540 --> 02:50.260]  ahhh, what's that? Yeah, this is, uh, this is why dreaming works. This is why you're able to see things when
[02:50.260 --> 02:55.520]  your eyes are closed and you're unconscious. And your brain just makes stuff up. It's kind of cool.
[02:56.420 --> 03:04.240]  But why is the number 60? Because it shows up all over the place. Now, my traditional answer to why 60 frames per second
[03:04.240 --> 03:10.800]  is, oh, they say it has to do with human vision, but really it's 1940s television technology. That's just
[03:10.800 --> 03:19.960]  how fast we ran TVs back then. True, it was how fast we ran TVs back then. But why did they choose 60?
[03:19.960 --> 03:28.840]  They could have chosen any number of numbers, but why 60? Um, I didn't realize my answer was incomplete
[03:28.840 --> 03:35.480]  until some news came out of Eastern Europe a few months ago that everyone's clocks were running slow.
[03:35.480 --> 03:41.780]  I actually literally mean, like, the clock radios on their, like, you know, cabinets. Um, European clocks move
[03:41.780 --> 03:48.760]  six minutes after dispute saps power from this electricity grid. Turns out Kosovo and Serbia don't like each other
[03:48.760 --> 03:55.340]  very much. Understatement. And, uh, there was some, um, stealing of electricity and it was slowing down
[03:55.340 --> 04:02.600]  the frequency of the power. Just like, uh, water out of a tap has a certain temperature, power out of a wall
[04:02.600 --> 04:10.300]  has a certain frequency that's supposed to be around 60 frames per second or 60 hertz, and it wasn't.
[04:10.300 --> 04:18.200]  It was going a little slow, and so everyone's clock was going slow. Now, you could just have, like, a clock
[04:18.200 --> 04:25.260]  in your clock radio, a little quartz crystal that vibrates, but, uh, you could keep it cheap and use whatever's
[04:25.260 --> 04:31.800]  coming out of the wall, assuming it'll never change. Uh, just because you can doesn't mean you should.
[04:31.940 --> 04:37.840]  Let me tell you how often this happens in security. Oh, that thing, um, we'll just get it from the, the upstream.
[04:37.840 --> 04:42.420]  They'll take care of it for us. Well, they weren't taking care of it, and now the clock's running slow.
[04:43.200 --> 04:50.840]  So, we didn't make television 60 frames per second for human vision. We made television 60 frames per second
[04:50.840 --> 04:59.100]  because there was a 60 frames per second, 60 hertz clock handy. Okay, well, why was that clock 60?
[04:59.100 --> 05:08.760]  Why did the power lines go to 60? So now you just get to keep digging. Power was 60 hertz because in 1890,
[05:08.760 --> 05:16.000]  that was what we were good at making technology do. Uh, according to Wikipedia, the induction motor was found
[05:16.000 --> 05:21.140]  to work well on frequencies around 50 to 60 hertz, but with the materials available in the 1890s,
[05:21.140 --> 05:27.120]  it would not work well on a frequency of, say, 133 hertz. And that was too small to see up there.
[05:27.120 --> 05:31.740]  You actually see, like, all the various frequencies that people paid for, for power lines.
[05:31.860 --> 05:40.860]  So now you get the 60 frames per second thing, which supposedly had to do with vision, actually 1890s power generation.
[05:40.860 --> 05:51.480]  Kind of funny. But let's keep digging. So, um, it's funny. It has nothing to do with human vision.
[05:52.400 --> 05:56.480]  Why did they pick these numbers in the 1890s? Why was this what the materials did?
[05:56.480 --> 06:01.100]  Well, quote, there's a fixed relationship between the number of magnetic poles in the inductive field,
[06:01.400 --> 06:08.500]  the frequency of the alternating current, and the rotation speed. Ah, so now, now it's not 1890s technology,
[06:08.500 --> 06:16.480]  now it's physics, actual physics encourages 60 frames per second. And this is what blew my mind.
[06:16.480 --> 06:23.680]  I wanted to bring this up because I did not expect to find anything close to this when I started digging into the number 60.
[06:25.020 --> 06:30.080]  You know, our brains are made of physics, too. Human vision comes from the brain.
[06:31.720 --> 06:38.860]  Electromagnetic signals, we have an entire series of waves called gamma waves that run at 25 to 100 hertz.
[06:39.540 --> 06:46.300]  Pure speculation, you might have 60 hertz and 60 frames per second and all these things because of physics.
[06:46.360 --> 06:54.840]  And physics is a shared element between power generation in the 1890s, between television and our brains.
[06:55.560 --> 06:59.060]  This might be correct. This might not be.
[06:59.060 --> 07:01.980]  And that is part of hacking, too.
[07:02.660 --> 07:09.520]  You might be thinking, why have I gone to this length in a talk that's supposedly about bugs?
[07:09.720 --> 07:17.420]  And what I really want to get through here is we don't necessarily know why things are the way they are.
[07:17.560 --> 07:25.700]  Usually, as a society, as a people, we do things because we've been doing them, and they mostly worked.
[07:25.700 --> 07:27.620]  What hasn't been a problem?
[07:28.220 --> 07:35.500]  What I want to get across is there's a universe of reasons why things are the way they are.
[07:35.500 --> 07:42.760]  Sometimes they don't need to be that way anymore. Sometimes they really do need to stay that way and we just don't know why.
[07:42.760 --> 07:48.480]  So stay intellectually honest as you go through these deep dives.
[07:48.480 --> 07:55.240]  Understand you really are operating from ignorance. That's actually your strong point.
[07:55.240 --> 07:59.140]  You don't know why the thing is doing what it's doing.
[07:59.360 --> 08:03.300]  That might mean you find something new. It might mean you aren't.
[08:03.300 --> 08:10.860]  Just have some humility as you explore, but also explore. I do it. It's okay.
[08:11.180 --> 08:13.580]  Just know that you're speculating.
[08:13.580 --> 08:26.780]  So, speaking of speculation, let's talk about what is actually going to actually become one of the ugliest bugs we've had to deal with in the last 10 or 20 years.
[08:27.280 --> 08:30.560]  Speculative execution bugs.
[08:31.320 --> 08:35.020]  So there's a couple that people have nicknamed and talked about.
[08:35.020 --> 08:39.000]  I assure you there's a hundred more.
[08:39.000 --> 08:50.060]  And I'm not exaggerating. Number 98, number 99, number 100. There's a giant pile of flaws in this arena.
[08:50.700 --> 08:52.560]  What are Spectre and Meltdown?
[08:52.700 --> 08:58.580]  The best explanation that I've had, that I've been able to explain to people, is that, you know, you ask your friend,
[08:58.580 --> 09:01.720]  Oh hey, you go to the coffee shop? They're like, No!
[09:02.100 --> 09:04.600]  Hey, do you go to the bar? No!
[09:04.940 --> 09:06.420]  Hey, do you go to the club?
[09:07.740 --> 09:09.580]  No!
[09:11.440 --> 09:20.760]  When you say the same thing, but you say it a different time, sometimes you're not saying the same thing.
[09:22.160 --> 09:25.680]  These bugs are timing bugs.
[09:25.680 --> 09:39.160]  These bugs involve a security boundary attempted to be maintained by a microprocessor, where it either is or is not supposed to give you some bit of information.
[09:39.280 --> 09:45.800]  And in fact, it finds out that it's not supposed to. It rejects. It gives you an exception. It gives you an error.
[09:45.800 --> 09:53.460]  But when it gives you the error, it's different, based on some information that you don't already have.
[09:54.060 --> 09:58.620]  Generally, it's the sort of thing where, hey, the first character in this password is A.
[09:58.620 --> 10:01.940]  The first character in this password is B. The first character in this password is C.
[10:01.940 --> 10:07.780]  And when you say C, that is the correct answer, either things go too fast, or things go too slow.
[10:07.960 --> 10:13.060]  In the case of Spectre, it's where you're trying to read data that you're not allowed to.
[10:13.060 --> 10:15.320]  You're told no, but it's the wrong time.
[10:15.780 --> 10:16.980]  Actually, that was Meltdown.
[10:16.980 --> 10:19.820]  With Spectre, you're trying to run code you're not allowed to.
[10:19.820 --> 10:25.120]  And again, things go faster and slower based on what you were or were not allowed to run.
[10:25.380 --> 10:27.720]  What went wrong?
[10:27.960 --> 10:34.440]  Now, commonly people say when things go wrong, oh, you know, Intel, they were lazy, they were stupid, they were bad people.
[10:34.440 --> 10:41.500]  I have to tell you, in 20 years, I've never seen stupid moralization fix anything.
[10:41.900 --> 10:45.740]  Like, we're engineers. Sometimes things are going to fail.
[10:45.740 --> 10:52.100]  We can either figure out why they fail and do something about it, or we can point and laugh.
[10:52.100 --> 10:56.940]  Don't get me wrong, lots of people like pointing and laughing, and they can go have fun doing that.
[10:56.940 --> 11:02.520]  But as engineers, and hackers are a sort of engineer, we have better things to do.
[11:02.520 --> 11:04.940]  We can point and study.
[11:05.380 --> 11:15.120]  So, digging in, the assumption in a lot of vulnerability analysis for bugs like Spectre and Meltdown,
[11:15.120 --> 11:25.500]  these speculative execution flaws, the assumption was that you could find out that something was in memory, but not what it was.
[11:25.500 --> 11:30.200]  So here's the deal, maybe a little lesson in how microprocessors work.
[11:30.580 --> 11:35.180]  It doesn't matter how fast your chip is, it doesn't matter how powerful it is,
[11:35.180 --> 11:44.080]  it doesn't matter what crazy 3D instructions it can do, if it doesn't have the data in hand to work on.
[11:44.080 --> 11:55.780]  So, a lot of the real world work of making a fast chip is in making sure the right data is available at the right time.
[11:55.880 --> 12:05.200]  So, your system might have gigabytes of memory, it only needs to work on a small subset of data at any given moment,
[12:05.200 --> 12:09.520]  but that data really needs to be available or the chip is just going to sit around like,
[12:09.520 --> 12:15.840]  oh, I guess I gotta wait like 20,000 cycles for the data that I need to work on.
[12:15.840 --> 12:20.960]  That means it's running at 1/20,000th the speed or so, for certain instructions anyway.
[12:21.640 --> 12:26.360]  So, your chips have caches, they have local stores where it's like,
[12:26.360 --> 12:33.980]  okay, so I have a copy of what's in memory over here, if I need to run it, I don't need to go all the way up to main memory,
[12:33.980 --> 12:36.860]  I've got some what's called my L1 cache.
[12:37.620 --> 12:46.320]  The assumption was that you could know that something was in L1, but not what was in there.
[12:46.720 --> 12:50.620]  So, that was a nice theory.
[12:50.960 --> 12:57.120]  Unfortunately, we have very rich things that we can ask the chip to do.
[12:57.120 --> 13:06.640]  We can tell the chip, hey chip, I want you to go get me this memory plus the value of that memory over there,
[13:06.640 --> 13:12.330]  like the address, it's like, hey, there's a house at 55 Santa Monica,
[13:12.800 --> 13:19.860]  go to 50 and by the way, take that 5 that's over there and add that to the address too.
[13:19.860 --> 13:25.160]  In fact, I don't even know if the 5 over there, whatever is over there, add it to the address.
[13:25.160 --> 13:26.820]  Maybe you end up with 55.
[13:28.640 --> 13:37.540]  So, this action happens without any care for the security model that the chip is trying to maintain.
[13:37.540 --> 13:44.980]  It will simply go ahead and be like, okay, well, I've got this base address of 50, that value over there was 5,
[13:44.980 --> 13:47.820]  I guess I've got to go retrieve 55.
[13:48.680 --> 13:59.060]  Now, as the attacker, you're like, hey, do you know about the address of 51, 52, 53, 54, 55?
[13:59.060 --> 14:02.960]  And 55 actually is already there because that's what was forced in.
[14:03.560 --> 14:08.040]  And so now the attacker knows, okay, that value was 5.
[14:08.300 --> 14:14.660]  There's only 256 possible values of a byte, so you do this 256 times and you get the byte.
[14:14.660 --> 14:19.360]  You might say, oh, but the difference is going to be really small, it's all really fast anyway.
[14:19.360 --> 14:25.520]  Yeah, it's really fast. That means you can do it like a million times in a second.
[14:25.880 --> 14:31.280]  Any small difference multiplied by a million is no longer a small difference.
[14:31.440 --> 14:39.880]  Especially when you can do what's called a CLFLUSH, a cache flush, make the difference as large as possible.
[14:39.880 --> 14:47.120]  So that's kind of the transition that has happened.
[14:47.120 --> 14:52.680]  The shift in attack methodology.
[14:53.900 --> 15:00.220]  But there's something underlying all of this, which I really want people to understand.
[15:00.800 --> 15:08.620]  Spectre and Meltdown and this entire bug class exist because we assumed we could make computers faster.
[15:08.620 --> 15:19.720]  A lot of people are like, why do we have these bugs anyway? Isn't this just math? Can't we prove things are correct?
[15:20.300 --> 15:22.260]  And we can't.
[15:22.260 --> 15:32.480]  The primary consumers of mathematical-proving software in the world are microprocessor designers.
[15:32.480 --> 15:37.120]  You know why? Because when a chip screws up, you can't easily ship a patch.
[15:37.120 --> 15:44.420]  We try, but that stuff is... those bugs are literally etched in stone.
[15:44.420 --> 15:48.040]  That is, in fact, what they're in.
[15:48.120 --> 15:52.960]  We really, really do not like having microprocessor flaws.
[15:52.960 --> 15:59.400]  And so we do a tremendous amount of work with what are called theorem provers, what are called SAT solvers.
[15:59.400 --> 16:06.860]  And we make sure the right bits, when the right bits come in, the right bits come out.
[16:09.300 --> 16:13.400]  Time has not been part of the equation.
[16:13.740 --> 16:20.180]  That is why your computers are allowed to get faster, your phones are allowed to get faster.
[16:20.180 --> 16:25.960]  If you really think about it, a faster computer is doing different things.
[16:25.980 --> 16:29.320]  It is. Before it took this long, now it takes that long.
[16:29.320 --> 16:31.000]  That computer is operating differently.
[16:31.000 --> 16:33.760]  But we define it as operating the same way.
[16:33.760 --> 16:44.220]  So, all of these bugs happen because security has been made to depend on an undefined element.
[16:45.140 --> 16:49.000]  So, context matters.
[16:49.920 --> 16:53.580]  If you'll excuse me hopping to the 30,000 foot view.
[16:53.580 --> 16:57.320]  Are two things the same or are two things different?
[16:57.380 --> 17:02.740]  Depends on the context of what do you mean by same and what do you mean by different.
[17:02.740 --> 17:06.080]  Same thing might be predictable or random based on context.
[17:06.080 --> 17:10.900]  Corporations, relatively predictable, you might even call them plodding.
[17:10.900 --> 17:18.220]  But an executive at a corporation, that guy could quit tomorrow, could have a nervous breakdown.
[17:18.380 --> 17:20.400]  An executive can be erratic.
[17:20.500 --> 17:26.000]  But the actual heart in that executive is actually beating erratically.
[17:26.000 --> 17:29.740]  By a behavioral standpoint, the heartbeat is pretty steady.
[17:29.740 --> 17:36.800]  But a single cell in that otherwise beating heart, that single cell might be erratic.
[17:36.800 --> 17:42.100]  We're talking about the same point in space, the same point in time.
[17:42.480 --> 17:45.380]  Is it predictable? Is it random?
[17:45.380 --> 17:50.720]  It depends on the context in which the question is asked.
[17:50.720 --> 17:54.280]  Are two computers doing the same thing or are they doing different things?
[17:54.280 --> 17:59.300]  Well, it depends. Does time count or does time not count?
[17:59.300 --> 18:02.240]  And there's not a right answer to that.
[18:02.240 --> 18:04.780]  There is no one context.
[18:04.780 --> 18:13.240]  A huge amount of what we do in hacking and what we do in security is we play context off one another.
[18:13.240 --> 18:16.860]  We're like, that context thinks this is stable, that context thinks it's not.
[18:16.860 --> 18:18.540]  They are going to behave in a different way.
[18:18.540 --> 18:21.520]  We said something right down in the middle.
[18:21.940 --> 18:24.640]  Tremendously reliable source of vulnerability.
[18:25.380 --> 18:30.300]  So, the theorem provers didn't fail when they showed no leakage of information between contexts
[18:30.300 --> 18:33.880]  because the right bits went to the right places.
[18:33.880 --> 18:38.780]  They just weren't being asked to prove these particular elements.
[18:41.390 --> 18:51.320]  The last thing that we did that caused Spectre and Meltdown to occur is what I call the Great Repurposing.
[18:51.320 --> 18:59.180]  We turned a stability boundary into a security boundary and hoped that it would work.
[18:59.180 --> 19:02.340]  Spoiler alert, it did not work.
[19:03.260 --> 19:10.240]  Historically, I know this is going to surprise you guys, most software is pretty bad.
[19:10.240 --> 19:13.440]  Like, it kind of barely works.
[19:13.980 --> 19:17.660]  Historically, most code would crash all the time.
[19:17.660 --> 19:23.340]  The game was making it so it would only crash itself.
[19:23.460 --> 19:31.920]  Like, how do we get it so when the calculator dies, it doesn't take down the server backup.
[19:31.920 --> 19:35.420]  Because I can live without the calculator.
[19:36.000 --> 19:42.680]  So, we did this stuff where all the software was specifically opt-in to the resources that are required.
[19:42.680 --> 19:46.920]  This is my RAM, this is my network connection, this is my stuff.
[19:46.920 --> 19:55.200]  So, when the software blew up and visibly blew up, you could clean up just those parts.
[19:55.960 --> 20:02.660]  So, the theory was that hackers were just kind of a new source of misbehavior.
[20:02.660 --> 20:08.240]  Instead of the software crashing randomly, it was crashing because someone intended it to.
[20:08.240 --> 20:15.980]  But otherwise, we could still see it doing bad stuff and we could still cut just that part off.
[20:15.980 --> 20:19.220]  It kind of worked. It kind of didn't.
[20:19.960 --> 20:22.980]  Here's the thing about hacker misbehavior.
[20:23.400 --> 20:26.520]  Hackers are actually pretty well behaved.
[20:27.000 --> 20:34.440]  You know, when hackers crash code, it doesn't actually crash. It actually does, like, re-control things.
[20:34.460 --> 20:45.460]  So, what hackers are doing is changing smaller things from a computer's perspective that are bigger things from a human's perspective.
[20:45.460 --> 20:57.600]  So, you don't get these random, noisy data structures that immediately cause all these exceptions to fire.
[20:58.200 --> 21:03.200]  Instead, you get nicely well-defined data structures that cause a calculator to pop up.
[21:03.520 --> 21:12.340]  In the context of Spectre and Meltdown, these attackers change time.
[21:12.340 --> 21:16.720]  Which, in this context, is not defined to exist.
[21:16.820 --> 21:25.460]  These operations that might happen fast, might happen slow, fast and slow don't exist in the context of the microprocessor running these instructions.
[21:25.460 --> 21:31.500]  They're allowed to take as long a time or as little time to get the data out of memory.
[21:31.600 --> 21:41.440]  So, it means nothing to the chip, but it means everything to the users, to the administrators, to the security models, but nothing in this context.
[21:41.440 --> 21:44.340]  That's what's going on.
[21:44.340 --> 21:57.800]  It's worth noting, by the way, that the exploits in Spectre and Meltdown involve attacking the system timers, which often operate once every 15.6 milliseconds.
[21:58.160 --> 22:01.460]  Kind of a specific number, that 15.6.
[22:01.460 --> 22:06.160]  You take the reciprocal and you end up at 64 frames a second.
[22:06.160 --> 22:14.000]  Because the only thing computers like more than repurposing 60 FPS is powers of 2.
[22:15.180 --> 22:20.520]  So, there's a thing.
[22:20.940 --> 22:24.760]  Spectre and Meltdown leak bits that we would prefer they not.
[22:25.220 --> 22:27.740]  You can't leak bits you do not have.
[22:27.740 --> 22:34.860]  There is a hidden architectural choice in all of these bugs.
[22:34.860 --> 22:37.920]  That architectural choice is decision.
[22:38.260 --> 22:40.200]  It's context switching.
[22:40.500 --> 22:49.980]  What we do with computers generally is we have a tremendous number of contexts in which they're operating.
[22:49.980 --> 22:52.000]  One moment, it's you, the user.
[22:52.000 --> 22:55.760]  Another moment, it's the kernel running some device driver.
[22:55.760 --> 22:58.920]  Another moment, it's the web browser as a whole running something.
[22:58.920 --> 23:03.680]  Another moment, it's JavaScript from an individual page on that web browser.
[23:03.680 --> 23:07.140]  It's constantly flipping around and flitting around.
[23:07.140 --> 23:12.060]  Some of those contexts have special access to data and some of them don't.
[23:12.340 --> 23:21.960]  And we hope the design of our interesting architectures means when we switch from one context to another, nothing is left over.
[23:21.960 --> 23:25.420]  Now, you can do that.
[23:25.500 --> 23:28.020]  But there is another context.
[23:28.240 --> 23:34.020]  And it kind of goes back to the quote, if you want two security domains, get two computers.
[23:34.300 --> 23:36.100]  You can do that.
[23:36.260 --> 23:38.420]  Computers are small now.
[23:38.420 --> 23:42.380]  Like, I don't know if you guys have seen this stuff coming out of Shenzhen.
[23:42.380 --> 23:43.800]  This is beautiful.
[23:43.800 --> 23:44.440]  Look at this thing.
[23:44.440 --> 23:46.300]  This is 20 bucks.
[23:46.400 --> 23:47.120]  20 bucks.
[23:47.120 --> 23:48.500]  It's got four cores.
[23:48.500 --> 23:50.520]  It's got a half gig of RAM.
[23:50.520 --> 23:52.500]  It's got gigabits.
[23:52.500 --> 23:53.960]  This is ridiculous.
[23:54.100 --> 23:55.260]  Look at this thing.
[23:55.400 --> 23:57.000]  I actually have one here.
[23:57.000 --> 24:02.800]  If you want to know if I bring a camera, I'm like, no, I want you guys to strain your eyes to have to see this.
[24:02.840 --> 24:08.880]  This is like, hey Raspberry Pi, nice job, but here's a real computer.
[24:08.900 --> 24:12.660]  It's got an Intel, it's got Apollo cores, four cores.
[24:12.660 --> 24:14.320]  It's got PCI Express.
[24:14.660 --> 24:20.040]  It's got, you know, let's see, five gigabits, ten gigabits, USB 3.
[24:20.040 --> 24:22.320]  It's got a PCIe port on the back.
[24:22.700 --> 24:31.820]  Like, you know, yes, we can totally go ahead and try to make context switching work.
[24:32.720 --> 24:40.980]  But, you know, instead of trying to pretend like we have a hundred computers, maybe we should just have a hundred computers.
[24:41.260 --> 24:43.440]  We could potentially do that.
[24:43.440 --> 24:57.780]  So, our present approaches to dealing with Spectre and Meltdown have been a little painful.
[24:59.340 --> 25:07.660]  There's a lot of work that we put into making context switching able to be aware that there is a security boundary
[25:07.660 --> 25:16.860]  and that we should not just protect what is visible at the user level or even at the kernel level,
[25:16.860 --> 25:19.500]  but actually what's called the microcode level.
[25:19.500 --> 25:22.800]  So, let me tell you something.
[25:24.440 --> 25:28.580]  Intel chips haven't been running x86 for a long time, okay?
[25:28.580 --> 25:35.920]  Like, there's another operating system underneath every operating system that you run.
[25:35.920 --> 25:42.320]  And that is the operating system that's managing all sorts of this prediction, what memory to grab when.
[25:42.320 --> 25:47.720]  That's the thing that we're interacting with, with all these Spectre and Meltdown patches.
[25:47.720 --> 25:52.140]  It's incredibly painful, and honestly, it's pretty slow.
[25:52.660 --> 25:59.460]  There's a great article from... actually, there's a great proof by the guys from this company, Research in Motion.
[25:59.460 --> 26:00.920]  They made the BlackBerry.
[26:00.920 --> 26:06.880]  They basically made a really compelling argument that the iPhone was totally impossible.
[26:06.940 --> 26:14.520]  And their argument was incredibly compelling right up until the moment that Steve Jobs dropped an iPhone on the table and said,
[26:14.520 --> 26:16.400]  Well, what do you think of that?
[26:16.620 --> 26:26.000]  The iPhone was impossible because, well, we just sort of assumed a certain amount of interactivity required a certain amount of power and electricity and resources.
[26:26.000 --> 26:30.800]  And here's what we were going to get from batteries, and here's how fast batteries have been getting better.
[26:31.200 --> 26:37.860]  And, you know, you intersect all your curves, and you end up with the iPhone will never have a battery life more than 20 minutes.
[26:38.680 --> 26:42.280]  And if all of those assumptions were true, that would have been correct.
[26:42.280 --> 26:44.440]  All of those assumptions were not true.
[26:44.440 --> 27:00.580]  The reason computers got fast is because this microcode layer, these layers that do all of this prediction about what resources are required when, what work can be done in advance, so that you don't need to wait and find out in real time.
[27:00.580 --> 27:04.100]  Like, okay, someone asked for this, and I have to do a bunch of this other work first.
[27:04.440 --> 27:06.680]  The work to be able to be long.
[27:07.100 --> 27:08.660]  Here's the interesting thing.
[27:08.660 --> 27:18.180]  One thing that every class developer is bad at, but the microprocessor guys are masters of, is this will probably work.
[27:19.360 --> 27:22.800]  The microprocessor guys have mostly figured out how to do.
[27:23.260 --> 27:29.220]  We're going to try this because 99.9% of the time is exactly what we're supposed to do.
[27:29.220 --> 27:37.500]  0.1% of the time, it was the exact opposite, and we need to hit the brakes and pull everything back and make it like it never happened in the first place.
[27:37.500 --> 27:40.760]  Pretty much only the chip guys have this working.
[27:40.760 --> 27:54.240]  But man, you ever wonder why Intel chips are really fast, and chips that have the exact same specs, they're just as good memory, they're just as good instruction set, but for some reason everything is slow?
[27:54.240 --> 27:55.640]  That's why.
[27:56.060 --> 27:57.440]  Branch prediction.
[27:58.000 --> 28:00.780]  Because we didn't have the worst machine learning around yet.
[28:00.780 --> 28:03.300]  Oh yes, prediction and learning, of course they're linked.
[28:03.300 --> 28:05.660]  Kind of obvious when you think about it in retrospect.
[28:08.280 --> 28:12.420]  Tangents aside, I like going by tangents, what can I say?
[28:13.820 --> 28:20.860]  We have patched everything in case there's a security boundary.
[28:21.320 --> 28:25.820]  That doesn't actually mean there's always a security boundary.
[28:25.820 --> 28:32.980]  There's a ton of machines where the only user on the device is the administrator.
[28:32.980 --> 28:36.220]  There is no non-root.
[28:36.220 --> 28:43.060]  Or, sometimes the administrator is only not the administrator when they're running a web browser.
[28:43.060 --> 28:50.700]  And some portion of the administrator's code is a non-root, actual non-user.
[28:50.720 --> 29:00.740]  They're still the user, but they're not the user who should run code, they're the user who should run JavaScript under a particular domain name.
[29:00.740 --> 29:04.180]  Under the same origin policy.
[29:06.040 --> 29:20.360]  There's a huge amount of what you might call in the electrical domain, impedance mismatch between the security models that our architectures expose and what we actually do in the real world.
[29:20.360 --> 29:22.480]  Let me tell you, there's nothing about that.
[29:22.480 --> 29:27.280]  The most popular security model in the world is the same origin policy in your web browser.
[29:27.280 --> 29:35.280]  It's the thing that makes it so you can have one tab open for email, and one tab open for news, and the news site can't read your email.
[29:35.400 --> 29:37.380]  Like, someone had to build that.
[29:37.380 --> 29:43.840]  That security model, nowhere to be found in how chips work or how operating systems work.
[29:43.840 --> 29:46.280]  But it's like the most popular thing to do.
[29:47.800 --> 30:00.920]  So, as we work to deal with the horde of bugs that are coming along with Spectre and Meltdown.
[30:00.920 --> 30:04.520]  I'm not joking, I think 8 got announced today.
[30:04.600 --> 30:11.460]  We will get a more explicit type of security domain to be declared.
[30:11.460 --> 30:14.860]  It won't look like users, it won't look like processes.
[30:14.860 --> 30:19.600]  It probably won't even be constrained to single machines, because guess what?
[30:19.600 --> 30:30.340]  As you look at the cloud from the large scale, or as you look at, if you want two computers, two security domains get two computers at the small scale.
[30:31.720 --> 30:36.360]  All sorts of resources get lashed together.
[30:36.360 --> 30:46.800]  And the amount of flexibility that we're going to need to declare what is and is not able to manipulate each other.
[30:49.280 --> 30:51.100]  It's going to get complicated.
[30:52.460 --> 30:54.940]  It's going to be interesting to watch it grow though.
[30:56.200 --> 31:02.160]  There's a shocking amount of operating system design work going on out there.
[31:02.600 --> 31:05.380]  I thought I was being all clever, I'm not even going to lie.
[31:05.380 --> 31:07.360]  Oh man, I really found the future.
[31:07.360 --> 31:13.200]  And then it's like the HPC guys are like, get in line Dan, we have figured this out long before you.
[31:13.760 --> 31:17.400]  And why has HPC, High Performance Computing, figured this out?
[31:17.400 --> 31:30.640]  Well it turns out, huge amounts of just how operating systems normally work involve a user-kernel boundary where the user is untrusted and asks the kernel to go do something.
[31:30.640 --> 31:34.280]  This turns out to be ungodly slow.
[31:34.280 --> 31:41.420]  I'm not sure how much of our computer performance we're giving up to this, but it's pretty clearly double-digit.
[31:41.540 --> 31:50.720]  Everything fast goes ahead and just for performance reasons, just for perf, says user-kernel needs to go.
[31:50.720 --> 31:57.880]  So you'll see like, you know, Intel's networking stack, DPDK, will run entirely in user space.
[31:58.100 --> 32:04.200]  There is a Linux web server called Tux, there's HTTP.sys in Windows.
[32:04.200 --> 32:06.420]  It will run entirely in the kernel.
[32:06.420 --> 32:14.080]  There's a cute little thing, you will know somebody is an old school kernel hacker if they've ever heard of the phrase kernel mode Linux.
[32:14.080 --> 32:17.620]  And you'll know they're a security person because their head just exploded.
[32:19.000 --> 32:22.040]  There's a funny thing called unikernels.
[32:22.080 --> 32:24.880]  They claim to not have kernels in the kernel.
[32:25.280 --> 32:28.320]  This is not actually true, they totally have all the kernel code.
[32:28.320 --> 32:31.980]  They just don't run the kernel code with a kernel boundary.
[32:31.980 --> 32:34.620]  They run a kernel as a library.
[32:34.780 --> 32:40.540]  There's even a thing called LKL that is Linux run as a library.
[32:40.540 --> 32:41.860]  It's really cool.
[32:41.860 --> 32:45.140]  You run a command, watch Linux boot, you're in Python.
[32:45.340 --> 32:48.940]  Like, you go to the library, but it's Linux, it's kind of neat.
[32:51.580 --> 32:58.020]  There's a giant amount of work going on here because when you look at the HPC space,
[32:58.020 --> 33:01.320]  when you look at all the people that are looking for performance,
[33:01.320 --> 33:07.480]  what they are really saying is, there's a security boundary, but not you.
[33:07.480 --> 33:13.760]  These literally thousands of computers all trust each other.
[33:13.760 --> 33:17.680]  It's not like 500 of the computers over there are run by bad guys,
[33:17.680 --> 33:20.540]  but we want to hopefully still get useful compute out of them.
[33:20.540 --> 33:23.880]  No, they're all mutually trusting.
[33:24.360 --> 33:32.680]  So, there's a thing that security forgets, which is that you can have a place where a wall could be,
[33:32.680 --> 33:35.540]  but you don't always want to put a wall there.
[33:35.540 --> 33:38.320]  Not all walls are a good thing.
[33:39.480 --> 33:44.580]  Build your boundaries to what the actual security model is.
[33:44.580 --> 33:49.640]  Otherwise, you'll have fake boundaries that are just speed bumps for people to jump over.
[33:49.640 --> 33:52.880]  You've just stopped useful work from happening.
[33:53.660 --> 33:56.360]  So, why am I telling you this?
[33:56.380 --> 34:02.260]  Well, me being kind of real here, security that doesn't care about the rest of IT
[34:02.260 --> 34:06.980]  is security that grows increasingly irrelevant.
[34:07.220 --> 34:11.000]  Computing in 2023 is not going to look like computing in 2018.
[34:11.100 --> 34:14.020]  Too much is changing.
[34:14.020 --> 34:22.780]  Like, that gear that I showed you over there was not around like 5 or 10 years ago.
[34:22.780 --> 34:23.960]  That matters.
[34:23.960 --> 34:26.920]  Like, we build things differently now.
[34:26.920 --> 34:34.100]  In fact, computing in 2018 doesn't look like what most people think computing in 2018 looks like.
[34:34.100 --> 34:37.860]  There's a lot of mental models, even among hackers.
[34:38.400 --> 34:43.160]  People are really, really stuck on what they have on their desk.
[34:43.160 --> 34:50.240]  Let me tell you, I go ahead and I rent a machine for $13 that's got a terabyte of RAM.
[34:50.240 --> 34:52.940]  I solve problems differently than you do.
[34:52.940 --> 34:56.880]  Also means I have vulnerabilities different than you expect.
[34:57.280 --> 35:00.780]  So, that's the flip side.
[35:00.780 --> 35:06.860]  If you're just looking for bugs, look for things people think don't matter.
[35:06.980 --> 35:16.880]  Look for time, look for the flawed assumptions that developers have, that operations has,
[35:16.880 --> 35:23.700]  between how people think the system works and how it actually does.
[35:25.160 --> 35:29.660]  Bugs aren't random because their sources aren't random.
[35:29.660 --> 35:37.520]  The mismatch in assumptions starts in the developers thinking their system is working one way and it's really working another.
[35:37.520 --> 35:45.940]  And then, going on, it's what, as a hacker, hackers have to model.
[35:45.940 --> 35:49.520]  Hackers aren't just modeling code. These are not good ones.
[35:49.520 --> 35:53.480]  Hackers are modeling the developers and saying, what did that guy screw up?
[35:53.480 --> 35:57.780]  I tell you, I can't tell you how many...
[35:57.780 --> 35:59.820]  Okay, this is my own process.
[35:59.820 --> 36:03.360]  I used to run a hacking group out of Seattle.
[36:03.440 --> 36:05.440]  We spent a couple of years at Microsoft.
[36:06.320 --> 36:11.300]  Every time I would sit down with a team, I'd just be like, tell me your story.
[36:11.300 --> 36:16.700]  Tell me what you're worried about. Tell me how you think your system works.
[36:17.020 --> 36:20.680]  And you know what I'd do then? I'd shut up and listen.
[36:20.820 --> 36:24.920]  And listen for all the things they didn't talk about.
[36:25.380 --> 36:28.860]  Because that was always where my first bugs came from.
[36:28.860 --> 36:32.680]  It's like, oh, you didn't think of the auth layer? Oh, you didn't think of the storage layer?
[36:32.680 --> 36:34.360]  Oh, you didn't think of the directory layer?
[36:34.360 --> 36:39.720]  You just look for what you see in the code, and what the developer isn't thinking about.
[36:39.720 --> 36:43.360]  Like my favorite one of my audits, going off on a complete tangent.
[36:43.580 --> 36:46.040]  I'm like, reading through the docs.
[36:46.260 --> 36:49.640]  Like, what verb here? Repair.
[36:49.700 --> 36:53.360]  I'm like, hey Bob, what does repair do?
[36:53.360 --> 36:55.400]  Bob gets this look on his face.
[36:55.500 --> 37:00.680]  That's still in there? Yes. So many bugs.
[37:04.420 --> 37:12.000]  People think bug finding is purely a technical task.
[37:12.000 --> 37:15.880]  And it's not, because you're playing with people's assumptions.
[37:15.900 --> 37:24.680]  It's so much more, or at least there is such a strong angle of understand the source, and you'll find the destination.
[37:25.300 --> 37:33.680]  So right now is about a good time to introduce what I'd like to say is the big, catchy, only vaguely correct catchphrase designed to spark interest.
[37:34.240 --> 37:38.520]  There's no such thing as reverse engineering.
[37:40.140 --> 37:44.540]  This is only vaguely true. It's kind of a cute little combination.
[37:44.880 --> 37:46.280]  Let me tell you what I mean.
[37:47.520 --> 37:52.140]  You know how people are like, oh, you know, our team, we only make the car drive left.
[37:52.140 --> 37:55.040]  Right? That's some other guys.
[37:55.180 --> 37:58.960]  It's just my job to get my plane in the air. Who cares if it lands?
[37:59.980 --> 38:02.480]  It's not that there aren't different teams.
[38:02.840 --> 38:05.860]  There could be a different team that handles takeoff and landing.
[38:06.000 --> 38:10.300]  It's just that if you don't care if your work affects the other guys, you're going to crash.
[38:11.720 --> 38:14.880]  So my thesis is there's no reverse engineering.
[38:15.020 --> 38:16.680]  There's no forward engineering.
[38:17.280 --> 38:20.300]  There's just engineering, okay?
[38:20.300 --> 38:28.440]  But we do have cultural elements in engineering that block the integration of forward and reverse.
[38:28.440 --> 38:38.200]  And the primary thing that we seem to do wrong is I think we have aggressively separated development and testing.
[38:38.240 --> 38:41.860]  And it's biting us. It's biting us really hard.
[38:42.620 --> 38:48.300]  Hackers like, you know, I was the director of hacking. I was the director of penetration testing.
[38:48.300 --> 38:51.600]  Hackers like, you know, penetration sounds cool.
[38:51.840 --> 38:57.760]  But no, testing is the important part of that phrase.
[38:57.760 --> 39:03.980]  We are a specific branch of testers that, I don't know, gets on cooler stages or something.
[39:04.600 --> 39:09.500]  Testing shouldn't be split off, but it kind of has been.
[39:09.500 --> 39:17.580]  And it's kind of had to have been because people, when they write code, tend to see that code for what it's supposed to be.
[39:17.580 --> 39:24.740]  And as a tester, you're trying to see it for what it really is because you're doing some things.
[39:26.420 --> 39:39.340]  What this means in practice is that large amounts of tooling in software that tells you what software is really doing are isolated to a different group of people.
[39:39.340 --> 39:54.920]  So the developers who already have a problem psychologically of only seeing what their code is supposed to do are also isolated from all the software that would tell them, no, actually you're doing five other things for what you really shouldn't be.
[39:55.160 --> 39:59.240]  So it creates this enormous bias in developer knowledge.
[39:59.240 --> 40:02.880]  Anything that's too testy goes to the test people.
[40:03.340 --> 40:05.520]  They'll figure it out for us.
[40:05.520 --> 40:10.500]  And what it does, it ends up biasing the generation of a lot of code.
[40:11.640 --> 40:16.340]  And let me actually show you in concrete terms what I mean by this.
[40:17.820 --> 40:23.720]  So, Fortran, ancient language, pretty fast, lets you do a lot of interesting math.
[40:23.720 --> 40:28.200]  Python, convenient language, not so fast, but fast enough, useful.
[40:29.420 --> 40:34.280]  And last step, did anyone here ever use a package called Numba?
[40:36.120 --> 40:39.420]  See, we can't just stick to hacking, okay?
[40:39.420 --> 40:44.020]  Like, there are some tools out there that do some freaking magic.
[40:45.300 --> 40:55.640]  Numba is, as far as I know, the first practical environment for taking what is, you know, Python has a nickname, executable pseudocode.
[40:55.640 --> 41:02.680]  It lets you write Python, and then it does a bunch of magic, and suddenly you have code that's approximately as fast as Fortran.
[41:02.680 --> 41:08.500]  I am not even joking. It is an LLVM CPU-GPU optimizing platform.
[41:09.660 --> 41:13.980]  It is an optimizer, which means it works like most optimizers do.
[41:13.980 --> 41:21.140]  It constrains what it thinks can come in, and given those constraints,
[41:21.140 --> 41:28.460]  throws out a bunch of optional work at runtime, and ends up delivering very fast execution.
[41:31.000 --> 41:36.460]  It's important you think about all of the, what I just said in the context of hacking.
[41:36.820 --> 41:42.180]  What happens when you define your constraints incorrectly?
[41:42.180 --> 41:44.340]  There's a simple answer, vulnerabilities.
[41:44.720 --> 41:50.200]  Stuff blows up. At best, you get the wrong answer.
[41:50.200 --> 41:58.440]  Most commonly, you get undefined behavior, which in the presence of hacking, becomes redefinable behavior.
[42:00.100 --> 42:06.300]  The problem that even Numba has to deal with is that Python is a dynamically typed language.
[42:06.300 --> 42:10.720]  When you have a variable, you don't really know what's going to be in there.
[42:10.720 --> 42:20.180]  So there is some dependency on the developer telling you,
[42:20.180 --> 42:24.680]  2 to the 63, or 2 to the 64, and so on.
[42:24.680 --> 42:31.760]  Now there is some developer pain to go ahead and declare up front what data types are going to be in what place.
[42:31.760 --> 42:35.880]  The whole reason they used Python was they didn't have to declare that.
[42:35.880 --> 42:39.320]  They could just say, there will be something there, figure it out at runtime.
[42:41.040 --> 42:44.480]  Well, a really cute code came out recently.
[42:45.700 --> 42:48.060]  Dropbox wrote something called PyAnnotate.
[42:48.060 --> 42:51.700]  And what PyAnnotate does is it looks at...
[42:51.700 --> 42:55.000]  So you write your code, you write it your normal way as a developer.
[42:55.520 --> 43:00.500]  And you run through the test kit, or you run through production data.
[43:01.400 --> 43:03.920]  And it looks to see what's going through.
[43:03.920 --> 43:09.400]  And it says, ah, this was dynamic, but man, all we get in production is a bunch of floats.
[43:09.400 --> 43:11.640]  This is probably a float type.
[43:11.880 --> 43:14.000]  And here's what's key.
[43:14.140 --> 43:17.480]  It goes ahead and it updates the code.
[43:17.480 --> 43:21.780]  There's actually optional typing information in Python now.
[43:21.780 --> 43:24.300]  That is one of their dev extensions.
[43:24.660 --> 43:27.560]  This is the thing that you don't do.
[43:27.560 --> 43:31.600]  You never have runtime alter compile time.
[43:31.600 --> 43:35.500]  Only the developer is allowed to actually touch the code.
[43:36.020 --> 43:41.280]  That is an unnecessary constraint.
[43:42.340 --> 43:47.460]  Now, this work has only come up for correctness.
[43:47.460 --> 43:49.760]  It hasn't come up as a means of accelerating Numba.
[43:50.300 --> 43:54.960]  I'm just getting in front of you guys here saying, oh man, we can make a bunch of code real fast
[43:54.960 --> 43:58.900]  by using PyAnnotate for performance instead of just security.
[44:00.740 --> 44:05.900]  Even the authors of this code consider it appropriate only for legacy.
[44:05.900 --> 44:09.700]  They're like, oh yeah, but the developer should do the right thing.
[44:09.960 --> 44:11.700]  Okay, yeah, it's not vitamins.
[44:11.900 --> 44:15.020]  It's not eating your Wheaties or eating your cereal.
[44:15.020 --> 44:19.400]  There's a job to do, which is to secure millions of lines of code.
[44:19.400 --> 44:20.900]  Let's figure out what we've got to do.
[44:20.900 --> 44:25.620]  And if we can discover stuff at runtime about what needs to be done to keep things secure,
[44:25.620 --> 44:27.880]  yes, do that.
[44:28.900 --> 44:32.840]  Why shouldn't runtime influence code?
[44:33.560 --> 44:36.700]  The approach does seem weird by standard models.
[44:36.700 --> 44:40.580]  It's a little similar to what's called profile-guided optimization.
[44:40.780 --> 44:44.920]  It's where you run a bunch of test code and you spy on what happens.
[44:44.920 --> 44:50.860]  But a lot of profile-guided optimization only lives in the compiler.
[44:50.860 --> 44:53.740]  It doesn't actually touch the source code.
[44:53.740 --> 44:57.200]  What I'm telling you is, no, we should actually update the source.
[44:57.500 --> 45:00.100]  Partially because the developer sometimes needs to say,
[45:00.100 --> 45:05.440]  no, it's just all floats today, sometimes they're big floats,
[45:05.440 --> 45:08.800]  sometimes they're integers, sometimes they're this, sometimes they're that.
[45:08.800 --> 45:10.960]  Developers don't know nothing.
[45:11.540 --> 45:14.360]  It is a little bit of pair programming with the machine,
[45:14.360 --> 45:19.300]  but if anyone here has ever coded for Android and you hit that tab key a lot,
[45:19.300 --> 45:21.040]  it's not like that's that new.
[45:23.900 --> 45:28.900]  It's important to realize that we are loosening the assumption
[45:28.900 --> 45:33.860]  that the developer knows what the system is supposed to do.
[45:33.860 --> 45:36.980]  See, we think we're the only ones as hackers that are ignorant.
[45:36.980 --> 45:41.560]  But the truth is, everyone who touches the computer is a little bit ignorant.
[45:42.200 --> 45:47.880]  Developer tools are weird, though, because they are the things that assume the developer is right.
[45:47.880 --> 45:50.560]  Because that's what you do in optimization.
[45:50.620 --> 45:54.980]  In optimization, you assume, okay, they have told me exactly what I need,
[45:54.980 --> 45:58.940]  I can throw out every handler, I can throw out every other possible path,
[45:58.940 --> 46:04.060]  let me just do the thing that my ground source of correctness and truth and loveliness,
[46:04.060 --> 46:05.580]  the developer has said.
[46:05.580 --> 46:09.680]  And any day, hacker tools don't do that.
[46:09.680 --> 46:12.540]  Hacker tools are all like, let's figure out how the hacker screwed things up,
[46:12.540 --> 46:14.580]  how the developer screwed things up.
[46:14.660 --> 46:16.120]  Because sometimes it works.
[46:17.680 --> 46:20.680]  All of our tools are incomplete.
[46:20.680 --> 46:24.180]  All of our tools are blind.
[46:25.060 --> 46:29.920]  The one concrete difference between reverse engineering and normal engineering
[46:29.920 --> 46:33.360]  is do you have the source code?
[46:35.000 --> 46:39.440]  I know this one guy, he's going to laugh when he finally sees these slides,
[46:39.440 --> 46:43.360]  he doesn't even bother with source if it's a C++ code audit.
[46:43.360 --> 46:48.880]  He's like, man, C++ lies to your face. Forget it.
[46:48.880 --> 46:51.420]  What is the computer executing? Binary.
[46:51.420 --> 46:53.560]  What am I going to read? Binary.
[46:53.580 --> 46:59.340]  That way, whatever I happen to get out of it, at least me and the CPU are on the same page.
[46:59.340 --> 47:02.620]  Forget what the developer thought, he doesn't know what's happening anyway.
[47:02.620 --> 47:07.480]  You know what, that guy wrecks code. He really quite does.
[47:08.640 --> 47:13.520]  So, one of the directions that I'm moving in, in building tooling
[47:13.520 --> 47:19.480]  that really unifies the building and breaking mindset,
[47:21.080 --> 47:26.220]  I'm a little tired, if I'm using an open source platform,
[47:26.220 --> 47:30.180]  why can't I see the source every time something crashes?
[47:30.180 --> 47:34.780]  I mean, yes, I can compile my particular app, but you know, it's got a library,
[47:34.780 --> 47:36.420]  and then, oops, it didn't have the source.
[47:36.420 --> 47:39.800]  Or it's calling into glibc, and oops, it didn't have the source.
[47:39.800 --> 47:42.580]  Or it's calling into the kernel, and oops, that didn't have the source.
[47:42.580 --> 47:43.980]  This is ridiculous.
[47:44.220 --> 47:51.800]  Like, yes, I understand the tools did not want to take a hard dependency on source being available.
[47:51.800 --> 47:56.080]  I once went into a SSD manufacturing plant,
[47:56.080 --> 48:00.500]  and I'm like, I want to audit your SSD from top to bottom.
[48:00.500 --> 48:03.340]  And they just looked at me with these sad eyes,
[48:03.340 --> 48:07.300]  and I think they basically finally got out,
[48:07.300 --> 48:10.200]  there probably is not a company in the world
[48:10.200 --> 48:14.840]  that has all the source code required to make a solid state disk.
[48:15.060 --> 48:19.340]  Each of them passes a binary blob onto the next,
[48:19.340 --> 48:23.960]  so that they won't be factored out of the manufacturing equation.
[48:23.960 --> 48:27.440]  We have a little bit of that going on in software,
[48:27.440 --> 48:31.380]  but it's unnecessary, because in software we have environments like Gentoo,
[48:31.380 --> 48:35.620]  where you can say, I need you to compile everything.
[48:35.640 --> 48:39.940]  And I need you to put all the source code right there.
[48:40.000 --> 48:43.580]  So I've been playing with, what's it like having source code access
[48:43.580 --> 48:45.480]  to absolutely everything in a system?
[48:45.480 --> 48:47.360]  Oh my god, it's awesome.
[48:48.200 --> 48:51.440]  Like, error messages are terrible.
[48:53.660 --> 48:56.400]  Developers pretend they know what they're telling me.
[48:56.400 --> 49:00.200]  Oh, it's because you forgot to set this flag on this thing.
[49:00.980 --> 49:02.840]  They're making random noises.
[49:02.840 --> 49:05.400]  Show me the source code that's crashing.
[49:05.400 --> 49:07.460]  And so this is the middle of SSH,
[49:07.460 --> 49:09.180]  and this is the middle of glibc,
[49:09.180 --> 49:11.380]  and I just have a nice, consistent,
[49:11.380 --> 49:14.980]  if it blows up, I get to see why.
[49:15.300 --> 49:16.940]  It's lovely.
[49:16.940 --> 49:20.460]  It's lovely for hacking, it's lovely for development, to be honest.
[49:20.460 --> 49:23.180]  And I mean, in this scale, it's whatever's on that machine.
[49:23.180 --> 49:25.800]  So it's running on SSH, a little tiny thing,
[49:25.800 --> 49:28.540]  it's running on Chromium, frankly,
[49:28.540 --> 49:31.460]  an operating system larger than Gentoo in the first place.
[49:32.640 --> 49:35.240]  So I like to joke, ADB is old and busted,
[49:35.240 --> 49:37.140]  ABD is the new hotness,
[49:37.140 --> 49:38.980]  always be debugging.
[49:40.260 --> 49:41.660]  It's a legitimate question.
[49:41.660 --> 49:43.300]  If you're always running a debugger,
[49:43.300 --> 49:45.900]  sometimes that code is running in the kernel,
[49:45.900 --> 49:48.820]  sometimes that code requires permissions to look at.
[49:48.820 --> 49:51.280]  You know, are you going to be typing sudo all the time?
[49:51.280 --> 49:52.800]  Like, are you going to be getting root?
[49:55.380 --> 49:56.260]  Okay.
[49:56.800 --> 49:59.940]  You ever get the feeling it's easier to be root
[49:59.940 --> 50:02.500]  on someone else's machine?
[50:02.500 --> 50:05.880]  Because, like, you have root for, like, a year somewhere else,
[50:05.880 --> 50:07.500]  but you are typing sudo,
[50:07.500 --> 50:11.280]  you're getting root, like, one line at a time.
[50:11.280 --> 50:13.960]  Like, I need to do something as an administrator.
[50:13.960 --> 50:16.160]  I need to do something as an administrator again.
[50:16.160 --> 50:19.000]  No, I'm still doing something as an administrator.
[50:19.000 --> 50:22.280]  It's an awful user interface
[50:22.280 --> 50:25.420]  when your work as a hacker
[50:26.620 --> 50:28.600]  involves constantly having to do things
[50:28.600 --> 50:30.120]  that alter the machine state
[50:30.120 --> 50:33.340]  and therefore constantly require root permissions.
[50:33.500 --> 50:36.140]  And by the way, you get such a wide variety
[50:36.140 --> 50:38.380]  of broken software behaviors.
[50:38.380 --> 50:39.680]  So, like, here's Wireshark.
[50:39.680 --> 50:41.980]  If you run it as a user, you know,
[50:41.980 --> 50:44.400]  it doesn't give you any prompt, it just runs.
[50:44.400 --> 50:46.240]  You can, you know, you can, like, listen remotely
[50:46.240 --> 50:48.560]  to, like, a Cisco remote packet capture.
[50:49.160 --> 50:50.720]  But with Wireshark,
[50:50.720 --> 50:52.020]  I want to listen to packets
[50:52.020 --> 50:55.320]  on interfaces on my machine.
[50:55.320 --> 50:59.300]  That's why I'm running the network sniffer.
[50:59.620 --> 51:02.120]  Where's my local interfaces?
[51:02.140 --> 51:03.800]  Oh, well, then you need to run as root.
[51:03.940 --> 51:06.320]  But if you do that, you get a big, scary message
[51:06.320 --> 51:09.120]  that says, I'm not going to let you run code in Lua.
[51:09.120 --> 51:10.800]  It's okay, I hate Lua.
[51:12.220 --> 51:14.620]  It's not true, I actually think Lua is okay.
[51:14.780 --> 51:17.100]  You can embed it, therefore it's interesting.
[51:17.280 --> 51:20.340]  But, like, this is this really common thing
[51:20.340 --> 51:21.940]  where we have a security model
[51:21.940 --> 51:24.200]  that assumes that I've got, like,
[51:24.200 --> 51:25.840]  20 people on my machine
[51:26.880 --> 51:29.200]  and I'm the only one who should be able to be root
[51:29.200 --> 51:30.280]  controlling them.
[51:30.280 --> 51:32.940]  Let me tell you, if I've got 20 people on my machine,
[51:32.940 --> 51:35.640]  I've got 20 people with root on my machine.
[51:35.920 --> 51:37.200]  I'm in trouble.
[51:39.380 --> 51:42.300]  So, Linux knows this is a problem.
[51:42.300 --> 51:43.620]  They kind of hide the fix.
[51:43.620 --> 51:46.140]  You have to, like, declare that it's an embedded machine
[51:46.140 --> 51:47.700]  because they don't want you to know it's there.
[51:47.700 --> 51:50.080]  And then you go into this, like, advanced mode
[51:50.080 --> 51:52.440]  and up, up, down, down, left, right, left, right,
[51:52.440 --> 51:54.000]  B, A, B, A, select, start.
[51:54.080 --> 51:56.620]  And, like, you end up with this checkbox
[51:56.620 --> 51:59.440]  that has multiple user groups and capability support.
[51:59.800 --> 52:00.600]  You know what that means?
[52:00.600 --> 52:04.080]  You uncheck that and all, like, the user root stuff goes away.
[52:04.140 --> 52:06.160]  You would think it's lovely,
[52:06.160 --> 52:09.100]  but man, all this code complains.
[52:09.360 --> 52:11.480]  So this, this is my solution.
[52:11.480 --> 52:13.620]  This is going to be sudo 2.0.
[52:13.820 --> 52:15.620]  I'm going to have, like, a key.
[52:15.620 --> 52:16.520]  I'm going to have a button.
[52:16.520 --> 52:18.680]  I'm going to have, like, three rocker switches.
[52:18.840 --> 52:20.700]  And then you know what I'm going to have?
[52:20.700 --> 52:22.500]  I'm going to have root now,
[52:22.500 --> 52:24.760]  and then, like, in my next prompt
[52:24.760 --> 52:26.060]  and in my next terminal window
[52:26.060 --> 52:28.420]  until I happen to, like, shut it down.
[52:28.420 --> 52:29.980]  And don't say it's less secure.
[52:30.180 --> 52:33.400]  This is way more work than typing sudo.
[52:33.960 --> 52:36.860]  Now, yes, I'm being silly.
[52:37.020 --> 52:39.640]  But so is this security model,
[52:39.640 --> 52:41.640]  and so is all this stuff we're doing with sudo.
[52:41.640 --> 52:43.800]  This is not reflecting reality.
[52:44.640 --> 52:47.200]  There is an implementation quirk.
[52:47.780 --> 52:50.620]  You can't just make all actions happen as root
[52:50.620 --> 52:53.740]  because software will complain like Wireshark complained.
[52:54.040 --> 52:55.840]  You have to do something weird
[52:55.840 --> 52:58.360]  and then bring it up without the code done
[52:58.360 --> 52:59.820]  because basically I'm recruiting.
[52:59.820 --> 53:02.560]  It's something I'm going to work on in the Blue Team Village after this.
[53:02.560 --> 53:04.000]  Come by and hang out.
[53:06.380 --> 53:08.300]  Effectively, what you need to do is
[53:09.580 --> 53:12.160]  allow action to happen as a non-root user,
[53:12.160 --> 53:15.520]  but mysteriously, all the permissions checks go through.
[53:15.780 --> 53:17.040]  It's okay, it's secure.
[53:17.040 --> 53:18.880]  Those rocker switches with the flips,
[53:18.880 --> 53:21.640]  there's an LED at the end. The LED makes it secure.
[53:23.300 --> 53:26.880]  Having kind of a faking root environment seems weird,
[53:26.880 --> 53:30.080]  but guess what? It's what we're doing with virtual machines.
[53:30.080 --> 53:31.840]  It's what we're doing with containers.
[53:31.840 --> 53:34.360]  Do you know why Docker is so popular?
[53:34.360 --> 53:37.860]  Because the app you get installed freaking works again.
[53:38.840 --> 53:41.300]  Kali Linux, the first time you get an operating system
[53:41.300 --> 53:42.860]  that's totally designed by hackers, we're like,
[53:42.860 --> 53:44.980]  oh, screw that. That thing's a mess.
[53:45.200 --> 53:47.300]  Like, this is what's going on.
[53:48.480 --> 53:49.840]  Jupyter is probably...
[53:50.500 --> 53:52.180]  I don't know if you guys have ever used Jupyter.
[53:52.180 --> 53:55.080]  It is now how I tell people to start learning how to use code.
[53:55.080 --> 53:58.700]  It is a web-based interface for Python and data science.
[53:58.700 --> 53:59.620]  It is lovely.
[53:59.620 --> 54:03.920]  It's all the gunk of go ahead and start playing with code
[54:03.920 --> 54:07.560]  and turn it into Logo from back in the day.
[54:07.560 --> 54:08.940]  It's great.
[54:09.480 --> 54:12.620]  But there's no way inside of Jupyter to add a package
[54:12.620 --> 54:15.760]  because that would require root.
[54:15.760 --> 54:18.420]  So you've got the most usable environment
[54:18.420 --> 54:22.000]  and it's missing actually some key functionality.
[54:22.000 --> 54:24.840]  And it's because of us. It's our fault.
[54:25.000 --> 54:28.160]  We need to stop breaking the rest of computing.
[54:28.160 --> 54:33.200]  Now there is a reason why things are this way.
[54:33.220 --> 54:36.460]  You know, you can't just say, like,
[54:36.460 --> 54:38.520]  why are people so stupid?
[54:38.520 --> 54:40.580]  Well, usually there's a reason.
[54:40.960 --> 54:45.000]  Usually when you give people who are just learning computing
[54:46.080 --> 54:50.440]  root access, the first thing they do is totally destroy their computer.
[54:50.700 --> 54:52.180]  This is true.
[54:52.220 --> 54:56.660]  And so we've evolved this model that will give you just a little bit of functionality.
[54:56.660 --> 54:58.640]  And we'll kind of have, like, a talent bar.
[54:58.680 --> 55:03.440]  You have to get this good before you get, like, real access to the system.
[55:03.760 --> 55:06.220]  It's not a security model as much as it is
[55:06.220 --> 55:07.980]  we don't want to get called in the middle of the night
[55:07.980 --> 55:10.620]  because the user's broke something again.
[55:12.280 --> 55:15.360]  Yes, you can do that and have a talent bar for users
[55:15.360 --> 55:19.440]  or you can make it just really easy to fix stuff.
[55:19.740 --> 55:21.380]  Check out this little stunt.
[55:21.380 --> 55:24.760]  So, I've been working on something called Inception.
[55:25.280 --> 55:26.680]  Forking the universe.
[55:26.920 --> 55:31.740]  I wanted to see, is it possible to take a fully configured, fully running machine
[55:32.680 --> 55:36.160]  that maybe a user doesn't want to break but does want to try something on
[55:37.000 --> 55:38.440]  and fork a copy?
[55:38.440 --> 55:42.140]  With the existing configuration, with everything in place.
[55:42.140 --> 55:47.440]  Now, I would love to do it with the present, you know, the exact moment of the flip.
[55:47.440 --> 55:51.560]  But here's how I got it working, just booting into the system
[55:52.020 --> 55:53.940]  that has already been configured.
[55:54.260 --> 55:57.520]  So here we are, we've got a stock little Ubuntu box.
[55:57.520 --> 56:00.760]  Couldn't really have live demos here. It's okay, there's no time for them anyway.
[56:02.100 --> 56:04.540]  I promised that I was going to show some code.
[56:04.540 --> 56:07.320]  Here's why you don't show code in the middle of a talk.
[56:08.020 --> 56:10.260]  But let me tell you what's happening here.
[56:10.460 --> 56:16.720]  There's a super obscure, elementary kernel module called DattoBD.
[56:16.720 --> 56:18.740]  It's the Datto block device.
[56:18.840 --> 56:22.740]  There are other ways to do this using the DMMapper functionality in Linux,
[56:22.740 --> 56:25.640]  but I'm using Datto because it's cool.
[56:26.400 --> 56:30.020]  Datto lets you basically say, I need to make a backup.
[56:30.980 --> 56:35.040]  And you know, when you back up a hard drive, it needs to be like a point in time.
[56:35.040 --> 56:38.520]  You can't have like, this file was what it was at the beginning of the backup,
[56:38.520 --> 56:40.780]  and this file was what it was at the end of the backup.
[56:40.780 --> 56:42.660]  Your system will not boot.
[56:42.660 --> 56:44.800]  You need to be able to take a snapshot.
[56:44.800 --> 56:50.420]  Datto is interesting because it allows you to snapshot a disk
[56:50.420 --> 56:56.840]  and not have some other disk required to store content as well, to store the changes.
[56:56.840 --> 56:58.920]  It's just a more stable variant.
[56:59.220 --> 57:03.580]  What we do in here is we take a snapshot of the running disk,
[57:03.580 --> 57:06.080]  and it's a read-only snapshot. You're not able to write to it.
[57:06.080 --> 57:08.060]  But virtual machines don't care.
[57:08.060 --> 57:10.240]  They can totally be like, read-only, that's fine.
[57:10.240 --> 57:12.360]  I'll get my reads from over here,
[57:12.360 --> 57:16.460]  I'll put any writes over there, so it's called a copy-on-write approach.
[57:16.760 --> 57:22.280]  So, I get myself a read-only copy of the disk,
[57:22.280 --> 57:25.520]  I make snapshots of my EFI partition,
[57:25.520 --> 57:27.520]  in this new thing, UEFI,
[57:27.520 --> 57:28.960]  it's a disaster.
[57:29.700 --> 57:30.740]  Terrible.
[57:31.240 --> 57:37.380]  We make a copy-on-write copy of the Datto environment,
[57:37.380 --> 57:39.320]  and then we boot a VM.
[57:39.640 --> 57:41.080]  And you know what happens?
[57:41.080 --> 57:44.660]  You just get that system.
[57:44.660 --> 57:46.500]  That exact system.
[57:46.980 --> 57:49.460]  And you're even rooted in it.
[57:49.460 --> 57:51.600]  You get to test whatever you want,
[57:51.600 --> 57:53.480]  you get to explore whatever you want,
[57:53.480 --> 57:55.320]  you can't break anything.
[57:55.320 --> 57:57.240]  It's lovely.
[57:57.600 --> 57:58.400]  It's rooted.
[57:58.640 --> 58:00.240]  Nothing bad can happen.
[58:02.380 --> 58:05.220]  Remember earlier I told you,
[58:05.980 --> 58:09.500]  you can context switch,
[58:09.500 --> 58:13.920]  or you can just have other computers.
[58:14.020 --> 58:15.840]  All this is about persistence,
[58:15.840 --> 58:19.140]  all this is about managing how much damage can happen where.
[58:19.240 --> 58:23.360]  I want to leave you guys on kind of a down note.
[58:24.700 --> 58:26.940]  I have a hard question.
[58:27.580 --> 58:31.140]  Why are we vulnerable to ransomware?
[58:31.140 --> 58:32.700]  Why is it a problem?
[58:32.800 --> 58:36.400]  Like, why is it possible for all of our data
[58:36.400 --> 58:39.440]  to be deleted all at once?
[58:39.440 --> 58:43.440]  Why is it possible for anyone even maliciously to wreck everything?
[58:43.440 --> 58:46.340]  Like, who is this a feature for?
[58:46.340 --> 58:48.320]  You might say, oh, you're going to run out of storage.
[58:48.320 --> 58:48.920]  Really?
[58:48.920 --> 58:52.360]  Like an 8 terabyte hard drive is like 50 US dollars.
[58:52.360 --> 58:57.040]  Like, your entire companies are not generating data fast enough.
[58:57.040 --> 59:02.300]  They could log every single bit 100 times over without exaggeration,
[59:02.300 --> 59:06.640]  and not spend nearly as much money as a single ransomware cleanup.
[59:07.100 --> 59:14.100]  What's going on is we have all of this leakage of capability to lose data.
[59:14.100 --> 59:17.900]  We have too many people able to break stuff.
[59:18.440 --> 59:24.360]  And as we look at the underlying capabilities of computers,
[59:24.360 --> 59:28.520]  realize we're not just as hackers able to break things.
[59:28.520 --> 59:33.780]  We're able to redefine them so they can't be broken in the first place.
[59:33.780 --> 59:36.480]  So let me leave you with some closing thoughts.
[59:36.740 --> 59:40.720]  We should not be separating development and testing.
[59:40.720 --> 59:43.760]  Guys, at the end of the day, computers are capable of magic,
[59:43.760 --> 59:47.160]  and we're just all trying to make the magic our magic,
[59:47.160 --> 59:48.720]  and not some bad guy's.
[59:49.000 --> 59:52.980]  Our hardest problems in security require alignment
[59:53.320 --> 59:57.440]  between how we build systems and how we verify them.
[59:57.440 --> 01:00:03.040]  And our best solutions in technology are going to require understanding the past,
[01:00:03.040 --> 01:00:08.500]  how we got here, how we really got here, even if it's from the 1890s.
[01:00:08.660 --> 01:00:13.980]  We're going to have to understand what is an unnecessary presumption,
[01:00:13.980 --> 01:00:17.600]  and what, oh no, we really shouldn't touch because we could screw this up.
[01:00:18.960 --> 01:00:22.140]  All that matters is how we protect users,
[01:00:22.140 --> 01:00:26.960]  and I look forward to seeing how everyone here makes the world better.
[01:00:26.960 --> 01:00:27.620]  Thank you.
